“We don`t need no stinkin` badges!” Hacking electronic door

“We don’t need no stinkin’ badges!”
Hacking electronic door access controllers
Shawn Merdinger
security researcher
• EDAC technology
– Trends, landscape
– Vendors
– Architecture
• EDAC real-world analysis
– S2 Security NetBox
• Research, exposure, vulnerabilities, attacks
• Countermeasures & recommendations
Learning outcomes
Awareness of security issues in EDAC systems
Major players, vendors, resellers
Pen-testing knowledge
Research and testing methods
Choice quotations
“When hackers put viruses on your home computer it's a nuisance; when they unlock
doors at your facility it's a nightmare.”
John L. Moss, S2 Security CEO
STAD, Volume14, Issue 1. 1 January, 2004
Q . About security of buildings around town….what was your response?
ATTY GEN. RENO: “Let's do something about it.”
Q. Is this a good thing that has happened?
ATTY GEN. RENO: I think any time you expose vulnerabilities, it's a good thing.
Department of Justice
Weekly Media Briefing, 25 May 2000
EDAC Technology Overview
• Trend is towards IP from proprietary solution
– Convergence of IP, Video
– Adding other building systems (HVAC, elevators, alarms)
– Cost savings, integration, increased capabilities
• Most controllers use embedded Linux
• Wide range of vendors in EDAC space
S2 Security
HID Global Vertx
Bosch Security
Reach Systems
Cisco Systems (Richards Zeta)
DSX Access
RS2 Technologies
EDAC Deployment
• Often you’ll see
– Managed by building facilities people
– Stuck in a closet and forgotten
– Long lifecycles of 5-10 years
• Distanced from IT Security
Physical security is not your domain. It’s ours.
Patching, upgrades, maintenance. What? Huh?
Policies regarding passwords, logging don’t apply
3rd party local service contractor adds doors,
hardware configuration
EDAC Architecture
S2 Security NetBox
• Built by S2 Security
• 9000+ systems installed worldwide
– Schools, hospitals, businesses, LEA facilities, etc.
• Same box is sold under multiple brand names
– Built by S2 Security
• NetBox
– Distributed by Linear
• eMerge 50 & 5000
– Resellers’ re-branding
• Sonitrol eAccess
S2 Security NetBox
S2 Security: Reading up
• Preparation and information gathering
– S2 Security case studies, press releases
– “The Google”
– Lexis-Nexis Academic Universe, ABI-Inform, etc.
• Example: able to determine from http://tinyurl.com/s2mysql
Samba client
Lineo Linux distribution (just like Zarus! )
Processor is ARM Core IXP 425 chip @ 533 MHz
Only 15 months from design to 1st customer shipping
“S2 did not have much prior experience with open source”
“MySQL is used to store everything from reports, user information,
customized features, facility diagrams, and more”
NetBox Components
MySQL / Postgres
NetBox Component: HTTP Server
• GoAhead Webserver TCP/80
• Poor choice
– Sixteen CVEs
• CVE-2003-1568, CVE-2002-2431, CVE-2002-2430, CVE2002-2429, CVE-2002-2428, etc.
• No vendor response
– Typical example in CVE-2002-1951
• Vendor response:
GoAhead….contacted on three different occasions
during the last three months but supplied no
meaningful response.
"Data security is a challenge, and unfortunately, not everyone has risen to it.“
John L. Moss, S2 Security CEO
NetBox Component: MySQL
• MySQL server listening on 3306
• Outdated SQL
– Version 2.X uses MySQL version 4.0
• 3.X uses Postgres
– Just how old is MySQL 4.0?
NetBox Component: NmComm
Service listening on TCP/7362
Performs multicast discovery of nodes
Daemon coded by S2 Security
Patent issued 15 December, 2009
– “System and method to configure a network node”
• http://tinyurl.com/s2patent
“Gentlemen, start your fuzzers!”
NetBox Component: FTP & telnet
• Cleartext protocols for a security device
– Telnet to manage
– FTP for DB backups
• Poor security-oriented documentation
"We see some vendors fitting their serial devices with Telnet adapters, which
simply sit on the network transmitting unsecured serial data.”
John L. Moss, S2 Security CEO
NetBox Components: Features!
• Lots of extras and licenses options
– Elevators, HVAC, Burglar
– VoIP
• Increases complexity
• Expands attack surface
– Daemons
– Libraries
NetBox Components: Features!
• View floorplans
NetBox unauthenticated reset
• VU#571629
• Remote, unauthenticated factory reset via
crafted URL
NetBox Unauth Access to Backup
• VU#228737
– Unauth attacker can dload DB backups
– Nightly DB backup is hardcoded CRONJOB
• File name is “full_YYYYMMDD_HHMMSS.1.dar”
• Predictable naming convention with timestamp
• Uncompress the.dar format
– Backup DB is in “var/db/s2/tmp/backup/all.dmp”
– Attacker gets backup DB = Game Over
• Entire system data in DB!
NetBox Unauth Access to Backup
• Extraction of administrator MySQL_64bit hash
• Affects NetBox 2.X (mysql) and 3.X (postgres)
• Hash is trivial to crack
• Attacker now has admin access
NetBox Pwnage: Doors
• Open any door
– Right now
– Or schedule
NetBox Pwnage: Cameras
• Backup file contains IP camera information
– Name, IP address, admin username and password
• NetBox 2.X and 3.X systems vulnerable
• Attacker now owns IP cameras
"Most hackers don't care about watching your lobby. If they gain access to the
network, they're going to go after financial data and trade secrets.”
Justin Lott, Bosch security marketing
NetBox Pwnage: DVRs
• User/Pass to DVRs in backup DB
• Poor setup guides for DVRs
• Recommends keeping default user/pass
– On-Net Surveillance Systems Network Video Recorder document
NetBox Fingerprinting
• Remote Identification
– MAC OID registered to S2 Security
– Nmap service fingerprint submitted (nmap 5.20)
Recommendations: Vendor
• Vendor
Conduct security evaluations on your products
Provide secure deployment guides
Tighten-up 3rd party integration
– More details: changes, auditing, debug levels
– Ability to send to log server
– Use a “better” HTTP daemon
– Enable HTTPS by default
– Modify banners, reduce footprint, etc.
– Change to SFTP
• Telnet
– Change to SSH
Recommendations: Customers
– Demand better security!
• From vendor, reseller, and service contractor
• Expect fixes and patches
– Manage your EDAC like any other IT system
• Patching, change management, security reviews
– Technical
• Isolate eMerge system components
– VLANs, MAC auth, VPN, restrict IP, etc.
• Contact
– Follow-up questions
– Security evaluations